The flaw, which has been dubbed ALHACK, takes advantage of a vulnerability in the implementation of the Apple Lossless Audio Codec (ALAC).
This open-source software is used for lossless (aka CD quality) audio compression and has been available to use royalty-free for firms outside of Apple since 2011.
The Cupertino-based tech giant releases updates and security fixes for the software, however not every vendor that uses the software reportedly applies this.
Speaking about the threat, Check Point said: “The ALAC issues our researchers found could be used by an attacker for remote code execution attack (RCE) on a mobile device through a malformed audio file. RCE attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user’s multimedia data, including streaming from a compromised machine’s camera.
“In addition, an unprivileged Android app could use these vulnerabilities to escalate its privileges and gain access to media data and user conversations.”
According to Bleeping Computer, bad actors can take advantage of the vulnerability by sending a maliciously crafted audio file which the victim is tricked into opening.
Thankfully though, there is a way you can protect yourself from this threat today.
Both MediaTek and Qualcomm, after working closely with Check Point Research, released patches towards the end of last year to address these flaws.
So to ensure your Android device is safe make sure you download the latest security update available to you.
Speaking about the security threat, a Qualcomm spokesperson said: “Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies. We commend the security researchers from Check Point Technologies for using industry-standard coordinated disclosure practices. Regarding the ALAC audio decoder issue they disclosed, Qualcomm Technologies made patches available to device makers in October 2021. We encourage end users to update their devices as security updates have become available”.
Credit: Source link